Introduction to: Sharing Cyber Threat Intelligence using STIX and TAXII (Part 1)

Abstract:

Given the complexity of today's attack scenarios and the growth of adversary technologies and tools, organizations must possess a cyber threat intelligence capability. A key component of success for such a capability is sharing threat information with organizations they trust, especially those in the same sector or with a similar business type, since these are likely to be targeted by the same adversary. While cyber threat intelligence and information sharing can help organizations make better security decisions, organizations face multiple issues in how to represent and share threat information across organizations that use different security solutions. Hence the need for a standard that provides a structured representation of threat information and a way to share it, so that multiple security solutions can understand and process it. The Structured Threat Information eXpression (STIX™) is a collaborative, community-developed language for representing structured threat information, and the Trusted Automated exchange of Intelligence Information (TAXII™) is the protocol used to share and communicate this information. These standards are governed by OASIS, an international standards development organization.

In this blog post we will try to answer these questions:

• What is Cyber Threat Intelligence (CTI)?

• Why do we need to share cyber threat intelligence?

• What is the cyber threat intelligence cycle?

• What issues do organizations face when sharing cyber threat intelligence?

• What is STIX?

• What is TAXII?

• How are they used to share cyber threat intelligence?

What is Cyber Threat Intelligence (CTI)?
To answer this question, we first need to define intelligence and threat in a cybersecurity context.

What is intelligence?
There are many different definitions, but the key point is that intelligence consists of two parts: the first is collecting and processing information about an entity or adversary; the second is providing that processed information to the concerned people in the organization so they can make security decisions.

What is a threat?
A threat consists of three components: hostile intent, capability, and opportunity. A threat actor performs an action on a target to cause damage.

Now back to the main question: what is cyber threat intelligence?
It is analyzed information about the threat an adversary poses to an asset. This analyzed information enables defenders and their organizations to reduce harm through better security decision making.

Cyber threat intelligence provides answers to these questions:
1- Who are the adversaries?
2- What technologies, tools and infrastructure does the adversary use?
3- Where did the attack happen?
4- When did the attack occur? Establish a timeline.
5- Why was it targeted? What are the motives and intent?
6- How did the adversary conduct the attack?
7- What is the impact?
8- What course of action can we take about it?

The Intelligence Cycle:

Where do we start producing cyber threat intelligence, and what do we do?
The cyber threat intelligence production cycle consists of five steps. There is a lot of detail in each step, but we will cover them briefly:
1- Planning and Direction:
Every organization has different intelligence requirements or needs: the requests and knowledge gaps describing what the people in the organization need from CTI.
Based on your organization's intelligence needs, where should the CTI team start collecting information, and what information should it collect?
2- Collection:
Collecting information from the sources planned in the previous step, to be processed and analyzed.
3- Processing:
Processing the information into a structured representation that is easy for the analyst to analyze.
4- Analysis and Production:
Analyzing the processed information.
5- Dissemination:
Sharing the analyzed information.

Figure 1 Cyber intelligence Cycle

Why do we need to share cyber threat intelligence?

Producing cyber threat intelligence based on the organization's needs is a great way to start making decisions about the organization's security well-being, but is it enough to cover the whole threat range? Suppose there are two companies, A and B, in the same sector and providing a similar service. Companies in the same sector are highly likely to be targeted by the same adversary campaign. If company A is attacked and its CTI team produces intelligence on that attack, identifying the attacker's tools and patterns, but this information is not shared with company B, then an attack on company B by the same adversary could succeed, even though it could have been prevented had company A shared its CTI. This problem is solved by sharing CTI between the two companies. Now that you see the benefit of sharing CTI between two companies, imagine a whole industry or business sector collaborating to share CTI: that would help cover a wide range of the threats these organizations face.

Issues organizations face on how to share CTI:

Let us assume there are two different companies, and each has produced cyber threat intelligence that is ready to be shared. The two companies have an agreement to share this CTI with each other. The question is: how will they share this information, and what problems could they encounter?

Figure 2 Scenario of sharing CTI between two companies

There are five main problems these two companies will face:

1- Reading CTI in Different Solutions:
CTI may be written in a different format for each solution. For example, one solution accepts CSV, another accepts XML. How will the CTI be read by different security solutions if the formats differ? To share CTI across different security solutions, it must be in a standard format that is supported and understood by most of them.

Figure 3 Examples of security solutions used by different organizations

2- Type of Shared CTI Information:
For example, does it include information about behaviors, such as Tactics, Techniques and Procedures (TTPs)? The shared CTI should provide the depth and context needed for better detection.

These two problems led to the creation of the STIX standard. STIX is the standard format in which CTI is written, and it can be read by any security solution that complies with the standard. We will talk about it in detail later.
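To make the "one format, many consumers" idea concrete, here is an added example (not code from the original post) that builds a small STIX 2.1 bundle the way Company A might describe an attack, with a threat actor, the malware and technique it uses, and an indicator, linked by relationship objects, and then parses that bundle the way Company B's tooling would, to answer "who, with what, how, and what to detect". It uses only the Python standard library, so the objects are assembled by hand rather than with the stix2 library; every name, domain and identifier is a constructed sample value.

```python
"""Minimal STIX 2.1 producer/consumer round-trip (added example, not from the post).

Company A packages what it learned about an attack as STIX 2.1 objects
(threat-actor, malware, attack-pattern, indicator) linked by relationship
objects, serialises them as a bundle, and Company B parses that bundle to
pull out the adversary's toolset and the detection patterns.
All names, domains and ids below are constructed sample values.
"""
import json
import uuid
from datetime import datetime, timezone

STIX_VERSION = "2.1"


def _now():
    # STIX timestamps are RFC 3339 in UTC with millisecond precision and a 'Z'
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_object(obj_type, **props):
    """Build a STIX object with the common required properties plus type-specific ones."""
    ts = _now()
    obj = {
        "type": obj_type,
        "spec_version": STIX_VERSION,
        "id": f"{obj_type}--{uuid.uuid4()}",   # STIX ids are <type>--<UUID>
        "created": ts,
        "modified": ts,
    }
    obj.update(props)
    return obj


def build_company_a_bundle():
    """Company A's view of the attack, expressed as a STIX bundle (constructed data)."""
    actor = make_object("threat-actor", name="Sample Actor",
                        threat_actor_types=["crime-syndicate"])
    malware = make_object("malware", name="SampleLoader", is_family=False,
                          malware_types=["downloader"])
    technique = make_object("attack-pattern", name="Spearphishing Attachment")
    indicator = make_object(
        "indicator",
        name="SampleLoader C2 domain",
        indicator_types=["malicious-activity"],
        pattern="[domain-name:value = 'c2.example.invalid']",   # constructed
        pattern_type="stix",
        valid_from=_now(),
    )
    # relationships carry the context: who uses what, and what an indicator points at
    rels = [
        make_object("relationship", relationship_type="uses",
                    source_ref=actor["id"], target_ref=malware["id"]),
        make_object("relationship", relationship_type="uses",
                    source_ref=actor["id"], target_ref=technique["id"]),
        make_object("relationship", relationship_type="indicates",
                    source_ref=indicator["id"], target_ref=malware["id"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [actor, malware, technique, indicator, *rels]}


def serialise(bundle):
    """What actually travels between the companies: plain JSON text."""
    return json.dumps(bundle, indent=2)


def consume_bundle(bundle_json):
    """Company B side: parse the bundle and answer 'who / with what / what to detect'."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    by_id = {o["id"]: o for o in bundle["objects"]}
    summary = {}
    for actor in (o for o in by_id.values() if o["type"] == "threat-actor"):
        uses = []
        for rel in by_id.values():
            if (rel["type"] == "relationship" and rel["relationship_type"] == "uses"
                    and rel["source_ref"] == actor["id"]):
                target = by_id.get(rel["target_ref"])   # skip dangling references
                if target is not None:
                    uses.append(target["name"])
        summary[actor["name"]] = sorted(uses)
    # the indicator patterns are what a detection tool loads, whatever its native format
    patterns = [o["pattern"] for o in by_id.values()
                if o["type"] == "indicator" and o.get("pattern_type") == "stix"]
    return {"actors": summary, "patterns": patterns}


if __name__ == "__main__":
    shared = serialise(build_company_a_bundle())
    print(consume_bundle(shared))
```

The consumer never looks at how Company A stored the data internally; it only relies on the STIX object types, ids and relationship types, which is exactly what lets two products with different native formats (CSV in one, XML in another) exchange the same intelligence.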

3- Sharing STIX CTI with Different Solutions:
How can we share STIX CTI? STIX lets us import CTI in one format into any security solution that understands it. However, to share STIX CTI through a threat feed, the exchange protocol must also be a standard understood by most security solutions.

This led to the creation of the TAXII protocol for sharing STIX CTI feeds. We will talk about it in detail later.
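The following added example (not code from the original post) shows the shape of that exchange: a tiny in-process TAXII 2.1 server on Company A's side exposes one readable collection holding a STIX indicator, and a client on Company B's side walks the standard TAXII 2.1 discovery chain (discovery endpoint, API root, collection list, collection objects) to pull the indicator down. It is deliberately minimal: only the four GET endpoints needed for that walk are served, and authentication, paging and filtering are left out. The collection id, the indicator and the loopback host/port are constructed values; the endpoint paths and the `application/taxii+json;version=2.1` media type follow the TAXII 2.1 specification.

```python
"""Tiny TAXII 2.1 exchange over HTTP (added example, not from the post).

Producer (Company A): serves discovery, one API root, one collection and its objects.
Consumer (Company B): discovery -> API root -> collections -> objects.
Constructed sample data; no authentication, paging or filtering.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TAXII_MEDIA = "application/taxii+json;version=2.1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # constructed sample id

# constructed STIX 2.1 indicator that Company A wants to share
SAMPLE_INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-01-01T00:00:00.000Z",
    "name": "Sample C2 domain",
    "indicator_types": ["malicious-activity"],
    "pattern": "[domain-name:value = 'c2.example.invalid']",
    "pattern_type": "stix",
    "valid_from": "2024-01-01T00:00:00.000Z",
}


class TaxiiHandler(BaseHTTPRequestHandler):
    """Serves the four GET endpoints a TAXII 2.1 client needs to find and read a collection."""

    def do_GET(self):
        # TAXII requires clients to ask for the TAXII media type
        if not self.headers.get("Accept", "").startswith("application/taxii+json"):
            return self._reply(406, {"title": "Accept must be " + TAXII_MEDIA})
        routes = {
            "/taxii2/": {"title": "Company A TAXII server", "api_roots": [self._root()]},
            "/api1/": {"title": "Shared CTI", "versions": [TAXII_MEDIA],
                       "max_content_length": 10485760},
            "/api1/collections/": {"collections": [
                {"id": COLLECTION_ID, "title": "Campaign indicators",
                 "can_read": True, "can_write": False}]},
            f"/api1/collections/{COLLECTION_ID}/objects/": {
                "objects": [SAMPLE_INDICATOR], "more": False},   # TAXII envelope
        }
        body = routes.get(self.path)
        if body is None:
            return self._reply(404, {"title": "not found"})
        self._reply(200, body)

    def _root(self):
        host, port = self.server.server_address[:2]
        return f"http://{host}:{port}/api1/"

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    httpd = HTTPServer(("127.0.0.1", 0), TaxiiHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def taxii_get(url):
    req = urllib.request.Request(url, headers={"Accept": TAXII_MEDIA})
    with urllib.request.urlopen(req) as resp:
        if not resp.headers.get("Content-Type", "").startswith("application/taxii+json"):
            raise ValueError("server did not answer with the TAXII media type")
        return json.loads(resp.read())


def fetch_shared_objects(base_url):
    """Company B side: follow discovery to every readable collection and collect its objects."""
    discovery = taxii_get(base_url + "/taxii2/")
    api_root = discovery["api_roots"][0]
    collections = taxii_get(api_root + "collections/")["collections"]
    objects = []
    for coll in (c for c in collections if c["can_read"]):
        envelope = taxii_get(f"{api_root}collections/{coll['id']}/objects/")
        objects.extend(envelope["objects"])
    return objects


if __name__ == "__main__":
    server = start_server()
    print(fetch_shared_objects(f"http://127.0.0.1:{server.server_address[1]}"))
    server.shutdown()
```

Because every step is an ordinary HTTPS-capable GET with well-known paths and a fixed media type, a consumer can poll this chain on a schedule and feed the returned STIX objects straight into its detection tooling, which is the automatic, user-independent sharing the post describes under problems 4 and 5.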

4- Automatic Sharing of CTI:
Can sharing of CTI be made automatic?
Yes: using these standards, once the two entities are synchronized, they can share CTI automatically.

5- Real-time Monitoring:
Is the monitoring real-time or user-initiated? One feature of these standards is that they support real-time monitoring instead of user-initiated monitoring. Once the feeds are imported into the security solution, the solution uses them to strengthen its defense capability without the need for user initiation.

Having faced these problems, we see the need for a CTI exchange standard.

Advantages of a CTI exchange standard:

• Collaborative analysis, inside and outside the organization

• Expressive information

• Better detection rate

• Faster response to attacks

• Automatic import of feeds

• Real-time CTI monitoring

Conclusion

In this blog post, we shed light on threat intelligence, the importance of collecting and sharing it in standardized formats (STIX and TAXII), and the benefits that brings to the overall cyber defense capability.

In part 2 of this blog post we will dive deeper into STIX and TAXII to answer the questions that are still open. Stay tuned ;)
